War in the Shadows

Here’s a little thought experiment for you. Let’s imagine for a moment that under the cover of darkness, a hostile foreign power landed a covert team of intelligence operatives on an American beach. They secretly infiltrated the headquarters of a major US corporation, ransacked the company’s computer files, and then detonated a bomb in the company’s basement, destroying millions of dollars worth of property. Their mission completed, the agents then slipped away, never to be seen again.

A version of this tale was offered by New York Times cybersecurity reporter, David Sanger, during a screening and panel discussion on Alex Gibney’s Zero Days last year at Fordham Law School’s Center on National Security. And as far-fetched the story may seem, it’s not too far from reality—the 2014 cyberattack on Sony Pictures by hackers affiliated with North Korea inflicted a similar level of real-world carnage. While the same attack via conventional means would certainly demand a military response, many would further argue that it would be nothing short of an act of war. Yet similar, unconventionally destructive cybersecurity intrusions happen waymoreoften than the public perceives.

***

Gibney’s documentary details the development of Stuxnet, a frighteningly advanced computer worm designed by the US and Israeli intelligence services for a specific, singular purpose: to sabotage and destroy centrifuges used for the enrichment of uranium at an Iranian nuclear facility. Uranium enrichment is a necessary stepping stone towards weapons development, and according to the film, Stuxnet was intended to forestall a preemptive Israeli airstrike on the facility, one which would certainly draw the U.S. into another long, costly conflict in the Middle East.

The film was a harrowing portrait of national hubris from the U.S. perspective. It used a nifty device of letting an actor deliver frank testimonies by current and former NSA employees on US cybersecurity tactics and policy. But my primary takeaway from the film and the event as a whole was that cybersecurity today is dangerously misunderstood in proportion to the threat we face. While certainly not the first cyberattack, Stuxnet was a significant escalation in a growing shadow war between nation-states, and it will only get worse from here.

Consider, for instance, the WannaCry malware attack. WannaCry was a form of ransomware, meaning its purpose is to lock out computers from their users in exchange for money, in this case, bitcoin. In May 2017, it froze hundreds of thousands of machines worldwide, costing billions of dollars worth in damages and crippling the National Health Service in the UK. US officials once again attributed the attack to North Korea.

In October 2016, a huge distributed denial of service (DDoS) attack hobbled huge sections of the internet, including prominent websites Twitter, Netflix, and the New York Times. Experts determined that the engine of this momentary destruction was the Mirai (Japanese for “future”) botnet, infecting internet-connected, household “smart” devices like webcams, televisions, even refrigerators and light bulbs. Cybersecurity experts had never encountered this before. There are 15 billion smart home devices—the so-called Internet of Things—in the wild today, and that number is expected to more than triple by 2020. They were naturally alarmed, but no evidence of state sponsorship was found.

And then there was Russia.

The Kremlin has a long history of exerting influence abroad using nontraditional means. In 2007, it was widely suspected of launching a massive cyberattack on the Estonian government, banking and media sectors in retaliation for plans to move a Soviet-era war monument outside the capital of Tallinn. Nowadays, it has moved on to influencing elections with run-of-the-mill phishing attacks and disinformation campaigns, the true nature of which we are still trying to figure out.

***

It is one thing for a creative individual or a rogue state to bring down a website or hack a Twitter page, but to inflict real-world damage, e.g. compromise a power grid, or to cripple a foreign adversary’s nuclear program as Stuxnet aimed to do, one reaches an entirely different level of possibility. As one of the guests at the panel mentioned, what is stopping a reckless Pakistan or India from spoofing a nuclear attack on the other state, with only minutes (if that much) to verify and respond? When malware extends beyond the boundaries of computer code into the physical realm, people can get hurt in ways previously unthought of.

Foreign policy practitioners familiar with nuclear proliferation are no doubt aware that in terms of cyberwarfare, once a door is opened, it is very difficult to close it. It is unlikely nations like Russia, North Korea, and Iran, which each have limited military and economic power to influence countries outside their immediate region (especially the United States), will relinquish any tool they may have to achieve their interests. And since it is difficult to definitively attribute a cyberattack, plausible deniability among nation-states risks leading to a Wild West atmosphere in which anything goes, so long as no one can pin it on you. There are currently no international treaties or norms to govern when or how cyberwarfare can be utilized, or if it should ever be at all.

So what can we do?

First things first, robust cybersecurity provisions and investments should be included in any infrastructure development plans put forward from here on out. The fact that our national infrastructure is so diverse and outdated likely protects us from a devastating vulnerability, but that shouldn’t be an excuse to leave the front door open nor should that be counted on as a sufficient defense. Governments (and private companies as well) need to be proactive in future-proofing the U.S. That involves a serious effort toward improving education around good cybersecurity practices as well.

As long as congressional Republicans downplay or disavow the boldest, most far-reaching cyber campaign against the U.S. so far—the Russian hackings and disinformation campaign in the 2016 election—we will never understand the true nature of the threat. A shameless loyalty to party over country does a severe disservice to every American, and emboldens our adversaries to consider future attacks instead of drawing a line in the sand. The party in power should behave responsibly and recognize the long-term risks around propping up the President at any cost.

Internationally, nations can do better than maintain a dangerous air of secrecy around cyberwarfare, even if that means curtailing their own behavior. Governments need to have clear foresight and enact treaties to cooperate, communicate, and mitigate their worst impulses for the sake of global security and stability, just as the U.S. and the U.S.S.R. did with the START treaties at the height of the Cold War. If we can regulate nuclear weaponry, easily the most destructive weapon known to humanity, we can certainly accomplish similar goals with cyberwarfare. But that requires governments to be more transparent and recognize that the dangers in both are inherently similar. After the horrors of Hiroshima and Nagasaki, it became painfully clear to an entire generation of Japanese citizens that restraint was not only necessary but a matter of survival. We cannot trust governments to arrive at a similar conclusion regarding cyberwarfare by themselves.